Presence Health hit with $475K HIPAA enforcement fine for PHI breach

HHS’ Office of Civil Rights announced that it settled its first HIPAA enforcement action for lack of a timely notification of a breach. (Photo credit: Getty/designer491)

An Illinois health system has settled with the federal government for $475,000 for waiting three months to inform officials of a HIPAA violation that led to a breach of unsecured protected health information of more than 800 individuals.

Presence Health, one of the largest healthcare networks in Illinois, agreed to the fine and a corrective action plan (PDF) as part of a settlement with the Department of Health and Human Services’ Office for Civil Rights, the government's first enforcement action for untimely reporting of a breach of unsecured PHI.

Violations of the Health Insurance Portability and Accountability Act have most recently involved electronic health records. But the Presence Health breach was due to missing paper records.

Presence Health reported the October 2013 breach at the end of January 2014. Staff members discovered that more than 830 paper operating room schedules were missing from a surgical center at the system’s Presence St. Joseph Medical Center in Joliet, Illinois. The documents contained patient names, birth dates, medical record numbers and information on the procedures and surgeons.

Through its investigation, the OCR determined that Presence Health had no reason to delay notifying the patients affected by the breach, the OCR and prominent media outets, which is required in breaches that affect more than 500 people.

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” OCR Director Jocelyn Samuels said in the announcement.

The OCR wasn’t shy about levying HIPAA fines last year, as fines hit record levels in the first part of 2016. The OCR doled out more than $15 million in fines during the first six months of the year alone, compared with $6.2 million for all of 2015.

The office also hit Advocate Health Care Network with a $5.5 million penalty, the largest HIPAA fine against a single entity, for the theft of four desktop computers than contained personal information for more than 4 million patients. OCR officials have said more fines are likely in the future, as it fields more than 20,000 HIPAA-related complaints a year.